1、配置网络yum源
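# Step 1: point yum at the Aliyun CentOS mirrors.
# Park the existing repo definitions in bak/ so they can be restored later.
# The loop skips bak itself; a bare "mv * bak" would try to move bak into
# itself and report an error.
mkdir -p /etc/yum.repos.d/bak
for repo_entry in /etc/yum.repos.d/*; do
  [ -e "$repo_entry" ] || continue
  [ "$repo_entry" = /etc/yum.repos.d/bak ] && continue
  mv -- "$repo_entry" /etc/yum.repos.d/bak/
done

# The quoted 'EOF' delimiter writes $releasever and $basearch literally, so
# yum expands them rather than the shell.
# The fallback mirror under each baseurl is indented: yum only treats an
# indented line as a continuation of the previous option, so a URL starting
# in column 0 never becomes part of baseurl.
# gpgkey points at the CentOS 6 key already on the host (normally shipped by
# the centos-release package). A key fetched over plain http from the same
# mirror that serves the packages would not add any assurance to gpgcheck=1.
cat > /etc/yum.repos.d/CentOS-Base.repo << 'EOF'
[base]
name=CentOS-$releasever - Base - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/os/$basearch/
        http://mirrors.aliyuncs.com/centos/$releasever/os/$basearch/
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#released updates
[updates]
name=CentOS-$releasever - Updates - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/updates/$basearch/
        http://mirrors.aliyuncs.com/centos/$releasever/updates/$basearch/
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/extras/$basearch/
        http://mirrors.aliyuncs.com/centos/$releasever/extras/$basearch/
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/centosplus/$basearch/
        http://mirrors.aliyuncs.com/centos/$releasever/centosplus/$basearch/
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/contrib/$basearch/
        http://mirrors.aliyuncs.com/centos/$releasever/contrib/$basearch/
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
EOF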
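# Define the EPEL 6 repositories on the Aliyun mirrors.
# gpgcheck is 1 in every section: the packages come over plain http, so the
# RPM signature is the only thing that ties them to the EPEL project.
# The fallback mirror under each baseurl is indented so that yum reads it as
# a continuation of baseurl.
cat > /etc/yum.repos.d/epel.repo << 'EOF'
[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
baseurl=http://mirrors.aliyun.com/epel/6/$basearch
        http://mirrors.aliyuncs.com/epel/6/$basearch
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
[epel-debuginfo]
name=Extra Packages for Enterprise Linux 6 - $basearch - Debug
baseurl=http://mirrors.aliyun.com/epel/6/$basearch/debug
        http://mirrors.aliyuncs.com/epel/6/$basearch/debug
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-6&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
gpgcheck=1
[epel-source]
name=Extra Packages for Enterprise Linux 6 - $basearch - Source
baseurl=http://mirrors.aliyun.com/epel/6/SRPMS
        http://mirrors.aliyuncs.com/epel/6/SRPMS
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-source-6&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
gpgcheck=1
EOF

# With gpgcheck=1 yum needs the key file named in gpgkey. It is normally
# installed by the epel-release package; say so now rather than let the first
# install from EPEL fail on it.
if [ ! -r /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6 ]; then
  echo 'warning: /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6 not found; install the EPEL signing key before using the epel repo' >&2
fi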
2、关闭selinux
# Show the SELinux mode configured for boot (the uncommented SELINUX= line).
cat /etc/selinux/config | grep "SELINUX=" | egrep -v "^#"
SELINUX=enforcing
# Switch the configured mode from enforcing to disabled. The config file is
# read at boot; the running system is changed separately by setenforce below.
# NOTE(review): disabled removes mandatory access control altogether.
# SELINUX=permissive keeps denials in the audit log without enforcing them,
# which is usually enough to find out which policy rule an application needs.
[root@MyLinux-6 ~]# sed -i "s#SELINUX=enforcing#SELINUX=disabled#g" /etc/selinux/config
# Transcript: getenforce reports the running mode, setenforce 0 drops it to
# Permissive for the current boot, and the second getenforce confirms it.
[root@MyLinux-6 ~]# getenforce 在命令行下查看selinux的状态
Enforcing
[root@MyLinux-6 ~]# setenforce 0 让selinux的状态在命令行下生效
[root@MyLinux-6 ~]# getenforce 再次查看selinux的状态
Permissive
3、关闭没有用的开机启动项
# CentOS 6: switch off every service that is enabled in runlevel 3, then
# re-enable only crond, network, rsyslog and sshd, and list the result.
# Anything outside that keep list stays off at boot. That covers packet
# filtering (iptables) and auditing (auditd) if they were on, so add them to
# the second loop where they are needed.
for svc in $(chkconfig --list | awk '/3:on/ {print $1}'); do
  chkconfig --level 3 "$svc" off
done
for svc in crond network rsyslog sshd; do
  chkconfig --level 3 "$svc" on
done
chkconfig --list | grep 3:on
# CentOS 5: same procedure as on CentOS 6, except that the logging service
# kept enabled is syslog. Every runlevel-3 service is switched off first, and
# only crond, network, syslog and sshd are switched back on. Services such as
# iptables or auditd therefore stay off unless added to the keep list.
for svc in $(chkconfig --list | awk '/3:on/ {print $1}'); do
  chkconfig --level 3 "$svc" off
done
for svc in crond network syslog sshd; do
  chkconfig --level 3 "$svc" on
done
chkconfig --list | grep 3:on
4、关闭iptables防火墙
# Stop the iptables service and confirm that it is no longer running.
# As the output shows, stopping flushes all rules and sets the chains to
# policy ACCEPT, so nothing filters traffic to this host afterwards.
# NOTE(review): if the goal is only to reach one service, adding an ACCEPT
# rule for its port keeps the rest of the filter in place.
[root@MyLinux-6 ~]# /etc/init.d/iptables stop
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
[root@MyLinux-6 ~]# /etc/init.d/iptables status
iptables: Firewall is not running.
5、修改ssh配置
# Work in the sshd configuration directory and keep a date-stamped copy of
# sshd_config before editing it.
cd /etc/ssh/
/bin/cp sshd_config sshd_config.rfjer.`date +%Y%m%d`
# Move the SSH listening port from 22 to 52113.
# Each sed below rewrites only the commented-out stock line (for example
# "#Port 22"). A file where the option is already uncommented is left as it
# was, so the grep after each edit is the check that the change landed.
[root@MyLinux-6 ssh]# sed -i "s#\#Port 22#Port 52113#g" sshd_config
[root@MyLinux-6 ssh]# cat sshd_config | grep "Port"
# Forbid direct root login over SSH.
# NOTE(review): have a non-root account with sudo rights working before the
# restart below, otherwise remote administration is locked out.
sed -i "s#\#PermitRootLogin yes#PermitRootLogin no#g" sshd_config
cat sshd_config | grep "PermitRootLogin"
# Forbid logins with an empty password (turns the commented default into an
# explicit setting).
sed -i "s#\#PermitEmptyPasswords no#PermitEmptyPasswords no#g" sshd_config
cat sshd_config | grep "PermitEmptyPasswords"
# Skip the reverse DNS lookup of connecting clients.
sed -i "s#\#UseDNS yes#UseDNS no#g" sshd_config
cat sshd_config | grep "UseDNS"
# Apply the changes. NOTE(review): running "sshd -t" first would catch a
# broken config before the running daemon is replaced.
/etc/init.d/sshd restart
6、修改中文字符集
# Keep a date-stamped copy of the locale settings, replace them with a single
# LANG line selecting zh_CN.UTF-8, and load the new value into this shell.
cp /etc/sysconfig/i18n "/etc/sysconfig/i18n.rfjer.$(date +%Y%m%d)"
printf '%s\n' 'LANG="zh_CN.UTF-8"' > /etc/sysconfig/i18n
. /etc/sysconfig/i18n
7、时间同步
# Install the base tool set; ntpdate, used below, is part of this list.
yum -y install \
  wget unzip vim man bc gcc gcc-c++ openssl openssl-devel \
  kernel kernel-devel kernel-headers rsync lftp \
  bash bash-completion bash-argsparse ncurses ncurses-devel \
  bison bison-devel openssh-clients automake autoconf cmake \
  gd gd-devel curl curl-devel libxml2 libxml2-devel sysstat telnet \
  net-snmp net-snmp-devel pcre pcre-devel mlocate \
  libmcrypt libmcrypt-devel libxslt libxslt-devel lrzsz glibc \
  ntpdate iftop lsof

# Set the time zone to Asia/Shanghai and sync against ntp.sjtu.edu.cn, once
# now and every five minutes from root's crontab.
# Every ">>" below appends, so running all three variants leaves three
# ntpdate jobs in /var/spool/cron/root; keep the one that fits the host.
command cp -rf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
printf '%s\n' '*/5 * * * * /usr/sbin/ntpdate ntp.sjtu.edu.cn' >> /var/spool/cron/root
printf '%s\n' 'TIMEZONE="Asia/Shanghai"' > /etc/sysconfig/clock
/usr/sbin/ntpdate ntp.sjtu.edu.cn

# CentOS 6: ntpdate is in /usr/sbin; sync with time.nist.gov and schedule it.
/usr/sbin/ntpdate time.nist.gov
printf '%s\n' "#time sync by rfjer at $(date +%Y%m%d)" >> /var/spool/cron/root
printf '%s\n' '*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >> /var/spool/cron/root

# CentOS 5: the same steps with ntpdate in /sbin.
/sbin/ntpdate time.nist.gov
printf '%s\n' "#time sync by rfjer at $(date +%Y%m%d)" >> /var/spool/cron/root
printf '%s\n' '*/5 * * * * /sbin/ntpdate time.nist.gov >/dev/null 2>&1' >> /var/spool/cron/root
8、加大文件描述符
# Raise the open-file limit to 65535 for every user ("-" sets both the soft
# and the hard limit). The line is appended on each run.
printf '%s\n' '* - nofile 65535' >> /etc/security/limits.conf
9、调整内核参数
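# Keep a date-stamped copy of sysctl.conf, then append the TCP and conntrack
# tuning. The heredoc is appended, so a second run adds the block again.
/bin/cp /etc/sysctl.conf "/etc/sysctl.conf.rfjer.$(date +%Y%m%d)"

# tcp_tw_recycle is written as 0. When it is enabled the kernel rejects
# connections from clients that share one NAT address, which shows up as
# random connect failures for users behind the same gateway.
# tcp_syncookies = 1 is the setting that keeps the listener responsive under
# a SYN flood.
# NOTE(review): the ip_conntrack keys exist only while the connection-tracking
# module is loaded. With iptables stopped, "sysctl -p" reports them as unknown
# keys; the other settings still apply.
cat >> /etc/sysctl.conf << 'EOF'
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max=25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait=120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait=60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait=120
EOF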
[root@MyLinux-5 ssh]# sysctl -p
如果报以上错误,可以不用管,这是由于iptables关闭导致的
CentOS 5优化批处理脚本
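# CentOS 5 baseline batch script; run as root.
# The rfjer password comes from RFJER_PASSWORD or an interactive prompt, so no
# credential is stored in the script or in the shell history.
# The ">>" appends (cron, limits.conf, sysctl.conf) add their lines again on
# every run.
stamp=$(date +%Y%m%d)

# Ask for the password before anything on the host is changed.
if [ -z "${RFJER_PASSWORD:-}" ]; then
  read -r -s -p 'Password for rfjer: ' RFJER_PASSWORD
  echo
fi
if [ -z "${RFJER_PASSWORD:-}" ]; then
  echo 'error: no password supplied for rfjer' >&2
  exit 1
fi

# --- yum repository ---
# Download first and swap only on success, so a failed download cannot leave
# the host without a base repo.
# NOTE(review): the repo file arrives over plain http and is not verified;
# read it (gpgcheck, baseurl) before the first install.
cd /etc/yum.repos.d/ || exit 1
if wget -O CentOS-Base-sohu.repo http://mirrors.sohu.com/help/CentOS-Base-sohu.repo \
    && [ -s CentOS-Base-sohu.repo ]; then
  /bin/mv CentOS-Base.repo "CentOS-Base.repo.rfjer.${stamp}"
  /bin/mv CentOS-Base-sohu.repo CentOS-Base.repo
else
  rm -f CentOS-Base-sohu.repo
  echo 'error: could not download CentOS-Base-sohu.repo; repo configuration left unchanged' >&2
  exit 1
fi
yum makecache
yum -y install lrzsz sysstat
yum -y upgrade

# --- SELinux ---
# NOTE(review): this turns mandatory access control off (disabled at next
# boot, permissive now). SELINUX=permissive would keep denials in the audit log.
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
setenforce 0

# --- boot services ---
# Everything enabled in runlevel 3 is switched off, and only the four services
# listed are switched back on.
for svc in $(chkconfig --list | grep 3:on | awk '{print $1}'); do
  chkconfig --level 3 "$svc" off
done
for svc in crond network syslog sshd; do
  chkconfig --level 3 "$svc" on
done
chkconfig --list | grep 3:on

# NOTE(review): with iptables stopped nothing filters inbound traffic; the
# non-standard SSH port set below is not a substitute for a packet filter.
/etc/init.d/iptables stop

# --- admin account ---
# Created before root login over SSH is switched off, so there is always an
# account that can log in and escalate.
id rfjer >/dev/null 2>&1 || useradd rfjer
printf '%s\n' "$RFJER_PASSWORD" | passwd --stdin rfjer
unset RFJER_PASSWORD

# Add the sudo rule once, below the root entry, and let visudo check the
# result. A syntax error in sudoers disables sudo for everyone, so the backup
# is restored if the check fails.
/bin/cp -p /etc/sudoers "/etc/sudoers.rfjer.${stamp}"
if ! grep -q '^rfjer[[:space:]]' /etc/sudoers; then
  sed -i '/^root[[:space:]]/a rfjer ALL=(ALL) ALL' /etc/sudoers
fi
if ! visudo -c >/dev/null; then
  /bin/cp -p "/etc/sudoers.rfjer.${stamp}" /etc/sudoers
  echo 'error: edited /etc/sudoers failed visudo -c; original restored' >&2
  exit 1
fi
if ! grep -q '^rfjer[[:space:]]' /etc/sudoers; then
  echo 'error: sudo rule for rfjer was not added; root SSH login left unchanged' >&2
  exit 1
fi

# --- sshd ---
cd /etc/ssh/ || exit 1
/bin/cp sshd_config "sshd_config.rfjer.${stamp}"
sed -i 's/#Port 22/Port 52113/g' sshd_config
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' sshd_config
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' sshd_config
sed -i 's/#UseDNS yes/UseDNS no/g' sshd_config
# The substitutions match only the commented stock defaults; report it when
# root login was not actually switched off.
grep -q '^PermitRootLogin no' sshd_config \
  || echo 'warning: PermitRootLogin no is not set in sshd_config' >&2
# Restart only a configuration that sshd itself accepts.
if /usr/sbin/sshd -t; then
  /etc/init.d/sshd restart
else
  echo 'error: sshd_config failed sshd -t; sshd not restarted' >&2
  exit 1
fi

# --- locale ---
cp /etc/sysconfig/i18n "/etc/sysconfig/i18n.rfjer.${stamp}"
echo 'LANG="zh_CN.gb18030"' > /etc/sysconfig/i18n
source /etc/sysconfig/i18n

# --- time sync ---
/sbin/ntpdate time.nist.gov
echo "#time sync by rfjer at ${stamp}" >> /var/spool/cron/root
echo '*/5 * * * * /sbin/ntpdate time.nist.gov > /dev/null 2>&1' >> /var/spool/cron/root

# --- limits and kernel parameters ---
echo '* - nofile 65535' >> /etc/security/limits.conf
/bin/cp /etc/sysctl.conf "/etc/sysctl.conf.rfjer.${stamp}"
# tcp_tw_recycle is written as 0: enabled, it makes the kernel reject
# connections from clients that share one NAT address.
cat >> /etc/sysctl.conf << 'EOF'
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max=25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait=120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait=60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait=120
EOF
# The conntrack keys are reported as unknown while iptables is stopped; the
# remaining settings are still applied.
sysctl -p
history -c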
CentOS 6优化批处理脚本
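# CentOS 6 baseline batch script; run as root.
# The rfjer password comes from RFJER_PASSWORD or an interactive prompt, so no
# credential is stored in the script or in the shell history.
# The ">>" appends (cron, limits.conf, sysctl.conf) add their lines again on
# every run.
stamp=$(date +%Y%m%d)

# Ask for the password before anything on the host is changed.
if [ -z "${RFJER_PASSWORD:-}" ]; then
  read -r -s -p 'Password for rfjer: ' RFJER_PASSWORD
  echo
fi
if [ -z "${RFJER_PASSWORD:-}" ]; then
  echo 'error: no password supplied for rfjer' >&2
  exit 1
fi

# --- yum repository ---
# Download first and swap only on success, so a failed download cannot leave
# the host without a base repo.
# NOTE(review): the repo file arrives over plain http and is not verified;
# read it (gpgcheck, baseurl) before the first install.
cd /etc/yum.repos.d/ || exit 1
if wget -O CentOS6-Base-163.repo http://mirrors.163.com/.help/CentOS6-Base-163.repo \
    && [ -s CentOS6-Base-163.repo ]; then
  /bin/mv CentOS-Base.repo "CentOS-Base.repo.rfjer.${stamp}"
  /bin/mv CentOS6-Base-163.repo CentOS-Base.repo
else
  rm -f CentOS6-Base-163.repo
  echo 'error: could not download CentOS6-Base-163.repo; repo configuration left unchanged' >&2
  exit 1
fi
yum makecache
yum -y install lrzsz sysstat
yum -y upgrade

# --- SELinux ---
# NOTE(review): this turns mandatory access control off (disabled at next
# boot, permissive now). SELINUX=permissive would keep denials in the audit log.
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
setenforce 0

# --- boot services ---
# Everything enabled in runlevel 3 is switched off, and only the four services
# listed are switched back on.
for svc in $(chkconfig --list | grep 3:on | awk '{print $1}'); do
  chkconfig --level 3 "$svc" off
done
for svc in crond network rsyslog sshd; do
  chkconfig --level 3 "$svc" on
done
chkconfig --list | grep 3:on

# NOTE(review): with iptables stopped nothing filters inbound traffic; the
# non-standard SSH port set below is not a substitute for a packet filter.
/etc/init.d/iptables stop

# --- admin account ---
# Created before root login over SSH is switched off, so there is always an
# account that can log in and escalate.
id rfjer >/dev/null 2>&1 || useradd rfjer
printf '%s\n' "$RFJER_PASSWORD" | passwd --stdin rfjer
unset RFJER_PASSWORD

# Add the sudo rule once, below the root entry, and let visudo check the
# result. A syntax error in sudoers disables sudo for everyone, so the backup
# is restored if the check fails.
/bin/cp -p /etc/sudoers "/etc/sudoers.rfjer.${stamp}"
if ! grep -q '^rfjer[[:space:]]' /etc/sudoers; then
  sed -i '/^root[[:space:]]/a rfjer ALL=(ALL) ALL' /etc/sudoers
fi
if ! visudo -c >/dev/null; then
  /bin/cp -p "/etc/sudoers.rfjer.${stamp}" /etc/sudoers
  echo 'error: edited /etc/sudoers failed visudo -c; original restored' >&2
  exit 1
fi
if ! grep -q '^rfjer[[:space:]]' /etc/sudoers; then
  echo 'error: sudo rule for rfjer was not added; root SSH login left unchanged' >&2
  exit 1
fi

# --- sshd ---
cd /etc/ssh/ || exit 1
/bin/cp sshd_config "sshd_config.rfjer.${stamp}"
sed -i 's/#Port 22/Port 52113/g' sshd_config
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' sshd_config
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' sshd_config
sed -i 's/#UseDNS yes/UseDNS no/g' sshd_config
# The substitutions match only the commented stock defaults; report it when
# root login was not actually switched off.
grep -q '^PermitRootLogin no' sshd_config \
  || echo 'warning: PermitRootLogin no is not set in sshd_config' >&2
# Restart only a configuration that sshd itself accepts.
if /usr/sbin/sshd -t; then
  /etc/init.d/sshd restart
else
  echo 'error: sshd_config failed sshd -t; sshd not restarted' >&2
  exit 1
fi

# --- locale ---
cp /etc/sysconfig/i18n "/etc/sysconfig/i18n.rfjer.${stamp}"
echo 'LANG="zh_CN.gb2312"' > /etc/sysconfig/i18n
source /etc/sysconfig/i18n

# --- time sync ---
/usr/sbin/ntpdate time.nist.gov
echo "#time sync by rfjer at ${stamp}" >> /var/spool/cron/root
echo '*/5 * * * * /usr/sbin/ntpdate time.nist.gov > /dev/null 2>&1' >> /var/spool/cron/root

# --- limits and kernel parameters ---
echo '* - nofile 65535' >> /etc/security/limits.conf
/bin/cp /etc/sysctl.conf "/etc/sysctl.conf.rfjer.${stamp}"
# tcp_tw_recycle is written as 0: enabled, it makes the kernel reject
# connections from clients that share one NAT address.
# NOTE(review): on CentOS 6 the conntrack settings are presumably exposed as
# net.netfilter.nf_conntrack_* rather than ip_conntrack_*; confirm with
# "sysctl -a" on the target host.
cat >> /etc/sysctl.conf << 'EOF'
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max=25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait=120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait=60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait=120
EOF
# The conntrack keys are reported as unknown while iptables is stopped; the
# remaining settings are still applied.
sysctl -p
history -c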